Server Hacked Thanks to Insecure PHP Script

September 7th, 2010 by Chris

I get frustrated sometimes. I run my business, and I probably really could benefit from hiring out more of the work instead of doing it myself, but I have gotten burned so many times. People walking off without finishing jobs, cash in hand, I’ve probably lost $10,000 through the years to that problem. That is like a small car being stolen. Or I end up with people providing substandard work, vastly reducing the value I get for my dollar. It doesn’t seem to matter if I take a low bid or a high one, I’ve gotten burned both ways.

I had hired through elance a company called Value on Web to do some programming for me last year. They had good feedback and lots of completed projects, including one just like what I wanted. Their bid was not even close to the lowest.

Look at this code they did:

if ($_POST['submitForm'] == "yes") { if($_FILES['store_image']['size'] >0){ $image1 =date("Ymds")."_".$_FILES['store_image']['name']; move_uploaded_file($_FILES['store_image']['tmp_name'],'../store_pic/'.$image1); //@resize_img('../store_pic/'.$image1,150,100, false, 80, 0, ""); copy("../store_pic/".$image1,"../store_pic/thumb/".$image1); //@resize_img('../store_pic/thumb/'.$image1,52,100, false, 80, 0, ""); }

This is a bit of a script to handle an uploaded image.

These so called professionals thought this was good enough, can anyone see the problems?

You absolutely always need to check what sort of file is being uploaded when you accept uploads or you could unwittingly allow people to upload malicious scripts and code. You can check the mimetype of the file, and definitely the extension. If the file is not an image mimetype, reject it. If the file does not end with (not include, but end with, otherwise someone could upload image.jpg.php) .jpg (or .gif or .png, etc) reject it. Also, have the system generate the filename randomly, so the user cannot access it after upload.

This isn’t a secret, this isn’t complicated code, had they done a basic google search for how to do a php image upload they would have found numerous examples of code that they could copy and paste that would do this. They were just lazy, or they didn’t know any better. I’m not sure which is worse.

I expect when I pay thousands of dollars to a company I don’t need to go over every line of their code to make sure it works, if I need to do that, I might as well just code it all myself.

So, my server was hacked, website homepages were defaced, and I spent an evening cleaning it up. The extent of the infiltration was such that I am no longer comfortable with this server, it is tainted. So I’ve decided to get a new server and migrate all sites. Thankfully cPanel/WHM has AWESOME migration tools that can move a site in minutes instead of the hours it used to take me manually. This is hugely beneficial when you have many sites. Also, the server was 4 years old so probably about time to get a new one anyways, and because of Moore’s law and whatnot, my new server will be 3x more powerful for the same monthly price.

Don’t think that this can’t happen to you, it can. Botnets scour the Internet for insecure forms, no matter how small and insigicant your site is you can and will be targetted because everything is automated. I believe most servers end up probed within minutes of being hooked up to the Internet.

Posted in: General, Website Development, Website Management » by: Chris

5 Responses to “Server Hacked Thanks to Insecure PHP Script”

wesley Says:
September 7th, 2010 at 10:34 am
You should require all projects to be done in some sort of PHP framework, something like kohana or yii. In my experience that will get rid of a lot of the crap firms… Plus, these frameworks have several security standards built in (file uploading, sql escaping, etc..)
Karen Mae Farro Says:
September 28th, 2010 at 9:07 am
The success of a certain business depends not only to the manager but also to the staff. It is just so annoying sometimes to have such an irresponsible employee which is not dedicated or serious with work. What I do, actually, is to base their income on their output. That way they are motivated to work hard and better.
Mark Bridgeman Says:
November 12th, 2010 at 6:27 am
I fully agree with the above, as I professional web builder I have had servers hacked in the past when I’ve taken over someone else’s website as the customer was unhappy with the previous company. I’m older and wiser now and understand that I should not take it on face value that another companies code is ok simply because they are ‘professionals’. I’ve learned that they might be competent, but ‘competent’ and ‘professional’ are not the same thing. Furthermore there is nothing worse than picking through someone elses unfamiliar code…
Marco Demaio Says:
December 15th, 2010 at 1:27 pm
the truth is that security is not a good marketing word, people expect security as normal part of the job, like when at the supermarket they buy a can of beans they expect not to find inside a moldy one so they just look at the color of the sticker on the can and at the advertisement they saw on tv show. But good programmers are usually not good in marketing, and beside you not many people are willing to pay so many bucks for programmers.
Hamid Says:
June 18th, 2011 at 5:14 am
I had similar experience with same company VALUE ON WEB and selected them for same reasons. I ended us losing a lot of money and when tried to have code reviewed by new company got this response –
“Hello Hamid, Thanks for sending over the files, unfortunately the code is awful. You have about 300 PHP files which all have html and php code together. Not even the slightest separation has been attempted. Also, just a warning, the project has a big security risk. All queries on the database are not protected against even the most basic attacks like sql injections. From what we could see Zend has not been used at all. Given the current status we can’t take over the existing code. Let me know your thoughts. Best wishes, Paul”